Taiwan Citizen Digital Certificate

Taiwan has a very interesting attitude towards technology (for better or worse), and it is fun to try out anything new that comes up here (for a certain definition of “fun”). When the news hit late last month, that the National Immigration Agency opens Internet ID application to foreign residents, I was there to get mine as soon as it was available. The “Internet ID” refers to a “Citizen Digital Certificate”, also called MOICA, a smart card that supposed to make a lot of services available through a web browser or other government-produced software (e.g. filing taxes online). For Taiwanese citizens MOICA seems to be available at least since 2003 (according to the news report I’ve managed to dig up), but this is the first time it available for us foreigners living here.

In this rather graphic post I try to summarize the process of getting a MOICA card as a foreigner in Taiwan, setting it up, and some (opinionated) lessons to learn from it.

The Process

The process of getting and setting up the card is outlined in this leaflet that I’ve picked up.

Though – not surprisingly – in practice everything is a lot more complicated than these 8 bulletpoints.

There’s also a Chinese version of this leaflet, just for the record.

Registration

As it is included in the National Immigration Agency’s (NIA) own announcement, the process is kicked off by visiting one of the service centers (here’s a list, but people generally know which center they belong to, they have to), and requesting the card. Even though I was applying (in the Taipei center) on one of the first days when it was available, there was no surprise or difficulty. Picked up a number, the at the counter forms were filled out for me all digitally, and then got a receipt like this (sensitive info blacked out here):

It included my application number, name, email, phone number, and a registration code (the last blacked out line) which was needed for the online payment. This is because, for some reason, the bill cannot be settled at the time of the application, but needed to be done online.

Payment

The card is only sent out to me after the online payment, and if no cash is received in 14 days, the application is cancelled. Thus I wanted to settle things very quickly. Originally I thought, based on the info I’ve received at the NIA that I will receive an email or other electronic communication with further info on how to pay. Instead, for the next 2-3 days I got a daily nudge message that I need to pay, but no information on how.

Visiting the MOICA website for foreigners (“aliens”) does not make me smarter, it looks like this below, with a couple of options on the side, but no “PAY HERE” or similar.

After one and a half weeks the time was running out for the application, so gave in and called the 0800-080-117 number from the message for help. They did help: see the funny looking Chinese-only banner with two cartoon figures? Have to click that, and then go onto this Chinese-only interface to continue.

Using the code from the receipt and logging in, there was an online payment interface. I really should have taken a screenshot, but so taken aback by it, that I forgot. It’s a HTTPS page (for a change), with big (Chinese-only) announcement that “because the site uses SSL your data is completely safe and nothing to worry about”, plus Chrome giving me a big security warning that the website’s SSL settings are vulnerable. Who do you trust in this situation? Rhetorical question: of course Chrome but still pay the government…

At least their messaging service works a lot better than their website, within seconds I got dual language notification that the credit card payment went through fine.

There’s not much to do after this, but wait till the postman arrives with the card.

Card Activation

The card arrived with two page of instructions, sticked in the middle, highlighting the security features of the card.

On a side note, not sure how all these visual security features (which likely serve paper bills well) help with computer security, since the only important part of that card is the chip inside, but I digress.

The minimum system requirements are Windows XP SP3 and IE 6.0. I’m using Linux, but fortunately have an XP in VirtualBox, and Internet Explorer on it, so might just work. The instructions said to go to the MOICA website again, and activate the card there. Except, there was no activation-related menu there at all, and the instructions remain tight-lipped. I was hoping that the back-side of the instructions, that are in Chinese, will contain some clues, though it turns out that they are even less useful, if that’s possible.

It’s time for another phone call to the 0800 number, and turns out that the “helper kids” are the ones we need again. Clicking that Chinese-only banner on the otherwise dual-language website brings up the page that I used earlier, but now instead of logging in, have to click the last menu point on the left, saying 憑證IC卡開卡. That takes me back to a page that looks very similar to the original MOICA page – except the menu is full. Indeed, the first page only contains “Commonly Used Functions” in the menu and have to do this extra trip to get a complete list of available “Certificate Procedure“[sic].

Here the activation can begin in earnest. First steps are:

• the site prompting for the install of half-a-dozen plugins,
• there’s an external program for the card reader smart card functions called HiCOS (get it from the download page)
• besides the card reader’s own drivers (I have an EasyATM Pocket Reader 111, seem to work well both in Linux and Windows)
• and a “gcms-plugin” linked from the activation page, what this does is unclear to me.

Most of these are also outlined (in Chinese) on one of the helper pages.

I did all this, loaded the card data (取得資料), filled out the page’s form, and submitted (the 開卡 button, “enable card”), but the process just hung there for about 5 minutes without any result. Tried more times that I probably should have…

One difficulty is that the page asks to “enter” subscriber code, and “set” PIN code: I didn’t know any subscriber code (probably meaning “username”), and “enter” is not “set” but who knows how the translations work on these sites?

On the page there was a link to help if things don’t work, which takes us to the MOICA blog, lo and behold:

This doesn’t strike me with a lot of confidence. Not just that it’s all in Chinese, the post is more than a year old, the color scheme is going crazy, and basically doesn’t contain any new info. Mainly it’s about using an external site (together with advertisements) for an important information like this.

Further down the page there was another link to even more help on this blog to how to set things up for the MOICA site to work with the smart card reader.

The info is in Chinese, but more or less says this:

• Enable compatibility mode in IE for moica.nat.gov.tw and  61.60.9.42,
• In Internet Options / Security / Trusted Sites / Sites disable “require server verification (https:) for all sites in this zone”, and add moica.nat.gov.tw and  61.60.9.42 to the trusted sites
• Internet Options / Security / Trusted Sites / Custom Level enable everything releated to ActiveX (in my opinion, set to “Prompt” instead of “Enable” whenever possible)
• Clear cookies and browser data and try afresh

This is pretty horrifying again, but what to do, have to make that card work somehow. The IP in that list is actually the IP where the form is served, within an iframe on the MOICA site… No security, open everything if you want to use the card.

The final comment on the page says, that if the activation form still hangs, then something is still not set up correctly. Of course my form was still hanging, but I was quite confident, that I haven’t missed any part of the setup. It’s time change strategy: to put myself into the shoes of the developer of a system like this. Imagining it as someone is making a site to technical specs only but not for usability, I was questioning what functions I might need. Looking through the menu, there is a “How to change subscriber code” page – and it does not ask for existing subscriber code, only other information! So it is more like resetting a forgotten code/password, this might be what I need!

On that page I’ve added my Alien Residency Certificate number, date of birth, and my MOICA card’s number as requested, and got a brand new subscriber code.

Putting this new subscriber code into the activation page, setting a PIN and finished in a second like a charm: Success! The activation was also verified by going on the Certificate Query page (using the 64-digit certificate serial number from the Activation page that can load the card data):

The lesson seem to be, unless I’ve missed something, that a subscriber code needs to be created first (not mentioned in the help), and the activation page hangs on all kinds of issues such as missing/wrong subscriber number as well, not just when the technical setup is incorrect.

Now what can I use this card for? I’ve seen some articles saying that there are 3000 different services to be used with, but I guess that’s only sort of correct. The FAQ says:

[…] electronic highway drivers services, tax filing, internet application system of the Labor Insurance Bureau, electronic gateway of the Land Administration, household registration internet applications, ChungHwa Telecom mobile phone (citywide) query, company online application system of the Ministry of Economic Affairs, public safety inspection system for buildings, internet customs clearance system for air cargoes, 1988 tax information instant messaging, and so on.

Foreigners cannot do tax filing for the 2015 tax year (just being filed now till the end of this month), but should be good from next year (I’m using my stock trading file-based certificate so I’m good to file online anyways). Other uses I guess need some exploration.

Endnotes

Tech

I haven’t really used smart cards for anything so far, the only other one is the National Health Insurance card earlier this month, that was a tiny bit more straightforward, and sort of immediately useful.

Under Linux I can use pcsc-tools and the CCID hardware driver for my reader to get some info about the card’s hardware, for what it’s worth:

Thu May 26 15:23:24 2016
Reader 0: Generic USB2.0-CRW [Smart Card Reader Interface] (20070818000000000) 00 00
  Card state: Card inserted, 
  ATR: 3B B8 13 00 81 31 FA 52 43 48 54 4D 4F 49 43 41 A5

ATR: 3B B8 13 00 81 31 FA 52 43 48 54 4D 4F 49 43 41 A5
+ TS = 3B --> Direct Convention
+ T0 = B8, Y(1): 1011, K: 8 (historical bytes)
  TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU
    43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 
-----
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1 
-----
  TA(3) = FA --> IFSC: 250
  TB(3) = 52 --> Block Waiting Integer: 5 - Character Waiting Integer: 2
+ Historical bytes: 43 48 54 4D 4F 49 43 41
  Category indicator byte: 43 (proprietary format)
+ TCK = A5 (correct checksum)

Possibly identified card (using /home/user/.cache/smartcard_list.txt):
3B B8 13 00 81 31 FA 52 43 48 54 4D 4F 49 43 41 A5
	citizen digital certificate (PKI)
	http://moica.nat.gov.tw/

Regarding the websites and web services in general I see more issues than good sides:

Chinese and English are used in a very strange way. English translation is often uninformative (at best, misleading at worst), or missing. Sometimes resetting a form changes all the labels into Chinese, the relevant FAQs are often in Chinese…. All this wouldn’t be a problem, if it wasn’t advertised to be usable in English too. So far it’s about a 20% solution. Getting people to translate, doing consistent writing, not having text in images (so copy-paste translation can work as a last resort), and just thinking about the users in general would go a long way.

Paper documentation and blog that contains help and advice is out of date and incomplete. The website has changed since the screenshots, IE has changed since the screenshots, not all steps are described, some technical info is not presented in enough detail to make it work easily. This is again I think an issue of low manpower for maintenance and people not putting themselves into the user’s shoes when writing documentation (that’s a common issue in all tech).

The site’s front page showing Commonly Used Functions only, and no apparent way to see all functions. That’s just a big usability issue (people needing to call to use the website), that should come up if they check what people call them about. So I guess there’s no monitoring and review of support calls or no feedback to the site design.

A big no-no is not having SSL enabled everywhere, it would be so easy to do. Chunghwa Telecom that they used for some of the smart card software development is the local Certificate Authority and the government has its own too, can’t imagine why there isn’t security set up. There’s even Let’s Encrypt for last resort now, so no excuses. Those pages that have SSL setup seems to be done by people who are not familiar with it, or not maintaining it properly. It’s a big misconception that “if HTTPS is in the URL, then the communication is secure”. In the public sector good sysadmins don’t fall for this, so the government and public sector need to step up their efforts. Staying with this immature security thinking will just lead to more issues (such as the just hacked Chungwa Post).

Using IP address-only designation and iframes for the smart card functions is also baffles my mind. I cannot imagine legitimate technical reasons for that, would be happy to hear if anyone knows one. Right now it looks like an alpha-quality software.

Relying on ActiveX for all these functions obviously is the result of the age of the project but it is definitely not future proof. Win 10 and the latest IE drops ActiveX as well, so there are no up-to-date systems that could use this smart card functionality. How many people will keep an XP around just to use the government websites? (The answer is probably not many and still more than should be).

Alternatives

With all this technical background, I really feel that this is a dead-end solution, which might work for a while still but has no future. To have a future, it needs to break from ActiveX, and go cross-platform too. Probably would need to break from the smart card format as well (at least as it is now). I’m in no way an expert in this area, these are some ideas based on my experience so far.

If trying to keep such certificate-based services around, then there has to be some serious research put into either how to use smart cards better (maybe based on OpenSC?), or change hardware. I’m thinking something like Yubikey could be an interesting model, especially with it’s Personal Identity Verification PIV support. Probably PIV and the related standards (that I have very tiny idea about so far) would be a viable path to look at.

Another alternative comes to my mind thinking about how bank logins work in some countries, using a Two-Factor Authentication (2FA) device that generates a one-time password for logging in. I see the model of this good in the sense of not having any hardware attached to the computer so it’s by default cross-platform and much less setup. Of course 2FA alone is surely not enough (eg. if electronic signature functions are used with MOICA), but the current model also just seem to be a 2FA (the factors are the card and the pin) login for the services. Maybe a mixed model, with simplicity in mind would be a good path.

Future

The idea of MOICA is fundamentally good, and pretty much inevitable in one form or another. The main thing would be thinking over the use cases and user experience a lot better. It is an interesting project, to a level that I almost wish I could work on this: technology development, QA, user & system testing, project development consulting, security enhancement, evaluation… It is unlikely to happen, so I really-really hope the Taiwan government (ie. the relevant ministries) have a decent sized and quality team working on this. Otherwise…. disaster and/or becoming irrelevant is also pretty much inevitable, only question is time.

Would love to hear if anyone else goes through this process and what do they use your cards for?